rickard.bellgrim at iis.se
Thu Dec 9 10:15:09 UTC 2010
On 8 dec 2010, at 11.14, Sion Lloyd wrote:
>> The rollover procedures are still quite a mess. Could you perhaps propose
>> how we should do this in a clean way, so that the
>> DelegationSignerSubmitCommand also function as intended?
> The only way I can think to make this clean is to force a pure rollover scheme
> on the user... This would mean disabling the no-retire flag and having the
> dssub command only send the new key.
> Is this too draconian and restrictive though? Keep in mind that this might be
> the only KSK rollover scheme available for the next two releases...
What do you Jakob say about this?
> Is it too late in the release to introduce a new flag or rollover option
> "strict" which forces this behaviour? (I think so, but will work on this if we
> think it is really needed.)
Yeah, new feature is too late. And another flag will confuse it even more.
> We could document the current situation and fix this either after the release
> in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?
Ok, yes. The option is to fix this in 1.2 or 1.3. Do we have any comments on this?
More information about the Opendnssec-develop